Earlier today, the Supreme Court released a landmark decision dealing with privacy on the Internet. The main issue in R v Spencer 2014 SCC 43 was whether a user of the Internet has a reasonable expectation of privacy in his or her basic subscriber information held by the user’s ISP that prevents the police from obtaining this information from the ISP without a warrant or court order. Prior to the decision some courts had ruled that ISPs could turn over subscriber contact details associated with the person’s IP address to police without a warrant or court order. The Court rejected this line of cases ruling that a person has a reasonable expectation of privacy associated with Internet activities and that the “lawful authority” exemption in PIPEDA does not create a basis to turn such information to the police.

The case came before the Court in an appeal from the accused’s conviction of a charge of possession of child pornography and a dismissal of a charge of making child pornography available using the P2P Limewire file sharing program. The police using well established investigatory techniques obtained the accused’s IP address by monitoring his internet file sharing activities. Armed with this information, it requested Shaw to identify the subscriber associated with the account (the accused’s sister), to enable the police to identify the accused and seize his computer to obtain evidence of these crimes. The police did not obtain a warrant or court order requiring Shaw to turn over the subscriber information relying instead on an exemption in PIPEDA that permits an organization to disclose personal information to a governmental institution with lawful authority.

Spencer argued that the disclosure of his contact details was an unreasonable search under Section 8 of the Charter. He contended that he had a reasonable expectation of privacy that his internet activities would remain anonymous and private. Further, he argued that PIPEDA protected his personal information from being disclosed and the exemption for disclosure based on the police’s lawful authority did not apply. The Court agreed with Spencer.

In siding with Spencer, the Court made a number of very important observations and pronouncements concerning the Charter protection of privacy in the Internet context including the following.

The Charter protection against unreasonable searches is engaged when police attempt to obtain subscriber information matching an IP address

An individual has a reasonable expectation of privacy in basic subscriber information. While that information may appear to be mundane, the “potential of that information to reveal intimate details of the lifestyle and personal choices of the individual must also be considered”. In the Internet context this entails the individual’s particular Internet usage. In this connection, the Court stressed the strong privacy interest individuals have in maintaining the anonymity of their online activities. According to the Court:

[42] The notion of privacy as anonymity is not novel. It appears in a wide array of contexts ranging from anonymous surveys to the protection of police informant identities. A person responding to a survey readily agrees to provide what may well be highly personal information. A police informant provides information about the commission of a crime. The information itself is not private — it is communicated precisely so that it will be communicated to others. But the information is communicated on the basis that it will not be identified with the person providing it. Consider situations in which the police want to obtain the list of names that correspond to the identification numbers on individual survey results or the defence in a criminal case wants to obtain the identity of the informant who has provided information that has been disclosed to the defence. The privacy interest at stake in these examples is not simply the individual’s name, but the link between the identified individual and the personal information provided anonymously…

[43] Westin identifies anonymity as one of the basic states of privacy. Anonymity permits individuals to act in public places but to preserve freedom from identification and surveillance..

[45] Recognizing that anonymity is one conception of informational privacy seems to me to be particularly important in the context of Internet usage. One form of anonymity, as Westin explained, is what is claimed by an individual who wants to present ideas publicly but does not want to be identified as their author: p. 32. Here, Westin, publishing in 1970, anticipates precisely one of the defining characteristics of some types of Internet communication. The communication may be accessible to millions of people but it is not identified with its author.

[46] Moreover, the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns. “Cookies” may be used to track consumer habits and may provide information about the options selected within a website, which web pages were visited before and after the visit to the host website and any other personal information provided…The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous — by guarding the link between the information and the identity of the person to whom it relates — the user can in large measure be assured that the activity remains private…

[47] In my view, the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information…subscriber information, by tending to link particular kinds of information to identifiable individuals, may implicate privacy interests relating not simply to the person’s name or address but to his or her identity as the source, possessor or user of that information.

[50] Applying this framework to the facts of the present case is straightforward. In the circumstances of this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person (or a limited number of persons in the case of shared Internet services) to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized by the Court in other circumstances as engaging significant privacy interests…

[51] I conclude therefore that the police request to Shaw for subscriber information corresponding to specifically observed, anonymous Internet activity engages a high level of informational privacy.

An individual has a reasonable expectation of privacy that his/her subscriber contact details will not be handed over to the police based on a request and a mere assertion of “lawful authority”, but without a warrant or court order.

The Court held the contractual and statutory framework was relevant to, but not necessarily determinative of, whether there is a reasonable expectation of privacy. In this case Shaw’s Acceptable Use Policyprovided that Shaw was authorized to cooperate with law enforcement authorities in the investigation of criminal violations, including supplying information identifying a subscriber in accordance with its Privacy Policy. That policy stated that the subscriber information was governed by “strict confidentiality standards and policies” to keep the information secure and to ensure it is treated in accordance with PIPEDA. The Privacy Policy also provided that “Shaw may disclose Customer’s Personal Information to: . . . a third party or parties.. if disclosure is required by law, in accordance PIPEDA. s.7(3)(c.1)(ii) of PIPEDA permits disclosure to a government institution that has requested the disclosure for the purpose of law enforcement and has stated its “lawful authority” for the request. This exemption could not be relied upon because a request by the police for subscriber information would amount to an unlawful search contrary to the individual’s reasonable expectations of privacy.

[70] Section 487.014(1) of the Criminal Code provides that a peace officer does not need a production order “to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing”. PIPEDA prohibits disclosure of the information unless the requirements of the law enforcement provision are met, including that the government institution discloses a lawful authority to obtain, not simply to ask for the information: s. 7(3)(c.1)(ii). On the Crown’s reading of these provisions, PIPEDA’s protections become virtually meaningless in the face of a police request for personal information: the “lawful authority” is a simple request without power to compel and, because there was a simple request, the institution is no longer prohibited by law from disclosing the information.

[71] “Lawful authority” in s. 7(3)(c.1)(ii) of PIPEDA must be contrasted with s. 7(3)(c), which provides that personal information may be disclosed without consent where “required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records”. The reference to “lawful authority” in s. 7(3)(c.1)(ii) must mean something other than a “subpoena or [search] warrant”. “Lawful authority” may include several things. It may refer to the common law authority of the police to ask questions relating to matters that are not subject to a reasonable expectation of privacy. It may refer to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law: Collins. As the intervener the Privacy Commissioner of Canada submitted, interpreting “lawful authority” as requiring more than a bare request by law enforcement gives this term a meaningful role to play in the context of s. 7(3) and should be preferred over alternative meanings that do not do so. In short, I agree with the Ontario Court of Appeal in Ward on this point that neither s. 487.014(1) of the Code, nor PIPEDA creates any police search and seizure powers: para. 46…

[74] The subscriber information obtained by police was used in support of the Information to Obtain which led to the issuance of a warrant to search Ms. Spencer’s residence. Without that information, the warrant could not have been obtained. It follows that if that information is excluded from consideration as it must be because it was unconstitutionally obtained, there were not adequate grounds to sustain the issuance of the warrant, and the search of the residence was therefore unlawful. I conclude, therefore, that the conduct of the search of Ms. Spencer’s residence violated the Charter: Plant, at p. 296; Hunter v. Southam, at p. 161. Nothing in these reasons addresses or diminishes any existing powers of the police to obtain subscriber information in exigent circumstances such as, for example, where the information is required to prevent imminent bodily harm. There were no such circumstances here.

Although the disclosure of Mr Spencer’s contact details was considered an unlawful search in the circumstances, the Court ruled it was not an error not to have excluded it in the circumstances.

The Fault Element of the “Making Available” Offence

An important aspect of the case also involved the Court’s ruling on what is required to prove “making available” child pornography. On this question, the Court held that the crime of making available is complete “once the accused knowingly makes pornography available to others.”No intent to make computer files containing child pornography available to others using that program or actual knowledge that the file sharing program makes files available to others is needed. The offence can also be made out where the accused is wilfully blind. The law imputes knowledge to an accused whose suspicion is aroused to the point where he or she sees the need for further inquiries, but deliberately chooses not to make those inquiries. That was a live issue in the case that justified ordering a new trial on that charge.

[85] The evidence calling for consideration of wilful blindness included, for example, evidence that in Mr. Spencer’s statement to police he acknowledged that LimeWire is a file sharing program; that he had changed at least one default setting in LimeWire; that when LimeWire is first installed on a computer, it displays information notifying the user that it is a file sharing program; that at the start of each session, LimeWire notifies the user that it is a file sharing program and warns of the ramifications of file sharing; and that LimeWire contains built-in visual indicators that show the progress of the uploading of files by others from the user’s computer: paras. 88-89.

[86] Given that wilful blindness was a live issue and that the trial judge’s error in holding that a positive act was required to meet the mens rea component of the making available offence resulted in his not considering the wilful blindness issue, I agree with Caldwell J.A. that the error could reasonably be thought to have had a bearing on his decision to acquit..

This morning, Ryerson University and Deloitte announced a new certification framework based on Privacy by Design principles. Privacy by Design is a set of principles that builds privacy into the design, operation and management of ...

Archives

This website may use cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

disable

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.